Categories
Linux

Use fail2ban Bind9 be used to prevent DNS amplification attacks

Foreword

Ali cloud I built for personal use dnsmasq server,DNS is used to make pollution-free,The recent disclosure of the IP,Sure enough, it was attacked - is actually being used DNS amplification attacks。

Since dnsmasq itself is not designed to provide external DNS service,So it is for security profile is not a lot (no!),But it's very easy to configure Resolution Policy (DNS resolution, such as Chinese white list),So I had the basis of,Plus a front-end to do security Bind9。

Then,Today we take a look in the end how to do security configuration Bind9。

Bind9 own security configuration

Bind9 itself supports a number of security policies,We do it well,We have been able to make very robust DNS:

edit /etc/bind/named.conf.options ,We add a custom policy:

Detailed explanation:

Hide Bind9 version information,Prevent hacker attacks against your Bind9 version loophole。

The message is forwarded to resolve open Bind9,Like dnsmasq as,Let Bind9 able to get up and not resolve on their own to resolve the root,You can avoid polluted (I here to resolve the local dnsmasq)

Only allow forwarding,Disable root parsing,External open simultaneously resolves and caches。

Close the Security Configuration,Because I want to be forwarded up to dnsmasq,The response of the former non-authoritative answer,So let Bind9 accept non-authoritative answer,It is necessary to close。You do not use the words do not have to shut。

When a domain name in the query,You may see a prompt "non-authoritative answer," the,The prompt indicates that you have requested domain name does not use DNS query server that you currently use。

Speed ​​limit for each IP,If the request exceeds per second 25 A,Will no longer respond to direct loss。

effect

Thus,You should be able at /where/log/syslog We saw a lot of overrun drop recorded,but,even so,vps still flow away like water,So,We also need to use third-party tools to deal with these IP。

Remember to restart the service service bind9 restart

Use Fail2ban automatically block hacker IP

Yes, If you've read my VPS then you should buy a spare safety measures this article,Vps that your tool should have installed,It defaults have been able to run well,But give Bind9 use,We will continue to customize some。

Custom Bind9 compatible Fail2ban

Bind9 default and does not generate a separate log,We need to put the error log to record output for Fail2ban,So edit /etc/bind/named.conf ,Another line from the end of the file insert the following statement:

This is redirected to the default log Bind9 /where/cache/bind/security.log Size remains 30M

If you use this time tail -f /where/cache/bind/security.log View,We will see a lot of records like this:

Obviously,Now, some people reflected in the use of my DNS attack,Next, we have to get rid of these IP configuration Fail2ban。

Let Fail2ban into force on Bind9

In fact Fail2ban native support of Bind9,And even its list has been built - but that strategy and we do not quite match expectations,Have their own change to change。

Edit Filter Configuration

edit /etc/fail2ban/jail.conf file,Find Bind9 configuration section in the inside,The default is as follows:

We gave it to change to change,udp and tcp enabled:

The meaning here is that once found 5 times in 1 second record,The corresponding IP will be added to the blacklist,The default time is 3600 seconds。But do not worry,This record is the record drop,Not a normal query records

Modify filtering rules

Next we look at the default rule change,The default rule is to detect the attack - and we are to be detected being used to attack ...... edit /etc/fail2ban/filter.d/named-refused.conf file,Find the following lines:

To:

Restart Service

Use the command service fail2ban restart To restart the service,This time using the command to view the status of:

You see,Has caught up a。

Summary

In short,Toss down,We get the following harvest:Bind9 can be restricted to a single IP requests per second (you can then be modified according to the needs),Once an IP server within one second and then the number of requests exceeds the limit,It will be recorded and discarded request,If more than five times over,It will blacklisted denied by the firewall (other display destination unreachable)。

A bit of discussion about UDP

As you can see,In Fail2ban profile which also indicate a very dangerous policy for UDP,Because hackers can easily forge a different address,This may be used to exploit your rules malicious blocking certain IP ,If your server this happen,You'll need to turn off of the policy for the UDP。

Further reading

Iptables-Fail2ban treated bind illegal attacks

Ten minutes to set up DNS forwarding cache server

Blocking a DNS DDOS using the fail2ban package

Original article written by Gerber drop-off:R0uter's Blog » Use fail2ban Bind9 be used to prevent DNS amplification attacks

Reproduced Please keep the source and description link:https://www.logcg.com/archives/1681.html

By R0uter's Blog

The non-declaration,I have written articles are original,Reproduced, please indicate the link on this page and my name。

8 replies on “Use fail2ban Bind9 be used to prevent DNS amplification attacks”

Good webmaster,My dns server receives the attack log is as follows:
202.9.120.7#13620 (aaa.com): view g-1: rate limit drop SERVFAIL error response to 202.9.120.7/32

It may be due to enabled view? In the tutorial using your regular expression failregex = # S +( \([\S.]+\))?\: rate limit can not match drop,I ask this Log,How to modify the regular expression,So that it can match the log? Hope seek Reply,Thank you!

I use the two regular expressions you mentioned,Will not work。Is there something missing?
One entry in the log is
120.9.20.2#52774 (chef.vpn.qianxin.com): view cnc-user: rate limit drop

The example in my article is "#80 (nhl.msk.su): rate limit drop“, Your log is "#52774 (chef.vpn.qianxin.com): view cnc-user: rate limit drop“,More than mine "view cnc-user:"Such a field,If it is fixed,Then change the regularity to "#S+( \([\S.]+\))?\: view cnc-user: rate limit drop" try,If it changes,Simply become "#S+( \([\S.]+\))?\:.+\: rate limit drop" got it。

Simply put, your log format is inconsistent with mine~

Leave a Reply

Your email address will not be published. Required fields are marked *